npm - @hostwebhook/template-engine - Versions diffs - 1.2.0 → 1.3.1 - Mend

@hostwebhook/template-engine 1.2.0 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -84,6 +84,12 @@ declare function resolveInput(value: string | undefined | null, payload: unknown
  */
 declare function resolveFieldPath(field: string): string;
+/**
+ * Validate code/expression against blocked patterns.
+ * Throws if any dangerous pattern is detected.
+ */
+declare function validateCode(code: string): void;
 /**
  * Resolve a dot-notation path against a TemplateContext.
  * Supports bracket notation for array indexing: `payload.items[0].name`
@@ -116,4 +122,4 @@ declare function applyPipe(pipe: string, val: unknown, arg?: string, ctx?: Templ
  */
 declare function evaluate(expr: string, ctx: TemplateContext, opts?: TemplateOptions): string;
-export { type CodeResult, type TemplateContext, type TemplateMode, type TemplateOptions, type TemplateResult, applyPipe, evaluate, renderTemplate, resolveFieldPath, resolveInput, resolvePath, tryNullCoalesce, tryTernary, valueToString };
+export { type CodeResult, type TemplateContext, type TemplateMode, type TemplateOptions, type TemplateResult, applyPipe, evaluate, renderTemplate, resolveFieldPath, resolveInput, resolvePath, tryNullCoalesce, tryTernary, validateCode, valueToString };

package/dist/index.d.ts CHANGED Viewed

@@ -84,6 +84,12 @@ declare function resolveInput(value: string | undefined | null, payload: unknown
  */
 declare function resolveFieldPath(field: string): string;
+/**
+ * Validate code/expression against blocked patterns.
+ * Throws if any dangerous pattern is detected.
+ */
+declare function validateCode(code: string): void;
 /**
  * Resolve a dot-notation path against a TemplateContext.
  * Supports bracket notation for array indexing: `payload.items[0].name`
@@ -116,4 +122,4 @@ declare function applyPipe(pipe: string, val: unknown, arg?: string, ctx?: Templ
  */
 declare function evaluate(expr: string, ctx: TemplateContext, opts?: TemplateOptions): string;
-export { type CodeResult, type TemplateContext, type TemplateMode, type TemplateOptions, type TemplateResult, applyPipe, evaluate, renderTemplate, resolveFieldPath, resolveInput, resolvePath, tryNullCoalesce, tryTernary, valueToString };
+export { type CodeResult, type TemplateContext, type TemplateMode, type TemplateOptions, type TemplateResult, applyPipe, evaluate, renderTemplate, resolveFieldPath, resolveInput, resolvePath, tryNullCoalesce, tryTernary, validateCode, valueToString };

package/dist/index.js CHANGED Viewed

@@ -38,6 +38,7 @@ __export(index_exports, {
   resolvePath: () => resolvePath,
   tryNullCoalesce: () => tryNullCoalesce,
   tryTernary: () => tryTernary,
+  validateCode: () => validateCode,
   valueToString: () => valueToString
 });
 module.exports = __toCommonJS(index_exports);
@@ -46,6 +47,10 @@ module.exports = __toCommonJS(index_exports);
 function resolvePath(path, ctx) {
   const [prefix, ...rest] = path.split(".");
   const key = rest.join(".");
+  if (path === "$now") return (/* @__PURE__ */ new Date()).toISOString();
+  if (path === "$timestamp") return Date.now();
+  if (path === "$date") return (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+  if (path === "$time") return (/* @__PURE__ */ new Date()).toISOString().slice(11, 19);
   let source;
   switch (prefix) {
     case "payload":
@@ -90,6 +95,72 @@ function valueToString(val) {
 // src/sandbox.ts
 var vm = __toESM(require("vm"));
+var BLOCKED_PATTERNS = [
+  /\bconstructor\b/,
+  // this.constructor.constructor('return process')()
+  /\b__proto__\b/,
+  // prototype chain traversal
+  /\bprototype\b/,
+  // prototype manipulation
+  /\bprocess\b/,
+  // Node.js process object
+  /\brequire\s*\(/,
+  // CommonJS require
+  /\bimport\s*\(/,
+  // Dynamic import
+  /\bglobal\b/,
+  // global object
+  /\bglobalThis\b/,
+  // globalThis reference
+  /\beval\s*\(/,
+  // eval()
+  /\bFunction\s*\(/,
+  // new Function()
+  /\bProxy\s*\(/,
+  // Proxy constructor
+  /\bReflect\b/,
+  // Reflect API
+  /\bBuffer\b/,
+  // Node.js Buffer
+  /\bSharedArrayBuffer\b/,
+  // SharedArrayBuffer
+  /\bAtomics\b/,
+  // Atomics API
+  /\bWebAssembly\b/,
+  // WebAssembly
+  /\b__defineGetter__\b/,
+  // Legacy property definition
+  /\b__defineSetter__\b/,
+  // Legacy property definition
+  /\b__lookupGetter__\b/,
+  // Legacy property lookup
+  /\b__lookupSetter__\b/
+  // Legacy property lookup
+];
+function validateCode(code) {
+  for (const pattern of BLOCKED_PATTERNS) {
+    if (pattern.test(code)) {
+      throw new Error(`Blocked: unsafe pattern "${pattern.source}" detected`);
+    }
+  }
+}
+function deepFreeze(obj, seen = /* @__PURE__ */ new WeakSet()) {
+  if (obj === null || obj === void 0) return;
+  if (typeof obj !== "object" && typeof obj !== "function") return;
+  if (seen.has(obj)) return;
+  seen.add(obj);
+  try {
+    Object.freeze(obj);
+    for (const key of Object.getOwnPropertyNames(obj)) {
+      try {
+        const val = obj[key];
+        deepFreeze(val, seen);
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
 function buildNodeLookup(workspacePayloads) {
   return (nodeName) => {
     if (!workspacePayloads) throw new Error("$() requires workspace context");
@@ -120,16 +191,23 @@ function buildSandbox(ctx, opts, logs) {
     }
     return String(v);
   };
+  let safePayload;
+  try {
+    safePayload = structuredClone(ctx.payload);
+  } catch {
+    safePayload = JSON.parse(JSON.stringify(ctx.payload ?? null));
+  }
   const sandbox = {
-    payload: ctx.payload,
+    payload: safePayload,
     $: buildNodeLookup(opts.workspacePayloads),
-    headers: ctx.headers,
-    meta: ctx.meta,
-    JSON,
+    headers: { ...ctx.headers ?? {} },
+    meta: { ...ctx.meta ?? {} },
+    // Safe builtins only — no process, require, import, eval, Function, Proxy, Reflect
+    JSON: { parse: JSON.parse, stringify: JSON.stringify },
     Math,
     Date,
-    Array,
-    Object,
+    Array: { isArray: Array.isArray, from: Array.from, of: Array.of },
+    Object: { keys: Object.keys, values: Object.values, entries: Object.entries, assign: Object.assign, freeze: Object.freeze },
     String,
     Number,
     Boolean,
@@ -141,7 +219,8 @@ function buildSandbox(ctx, opts, logs) {
     encodeURIComponent,
     decodeURIComponent,
     Map,
-    Set
+    Set,
+    undefined: void 0
   };
   if (opts.mode === "code" && logs) {
     sandbox.console = {
@@ -150,9 +229,21 @@ function buildSandbox(ctx, opts, logs) {
       error: (...args) => logs.push(`[error] ${args.map(stringify).join(" ")}`)
     };
   }
+  for (const key of Object.keys(sandbox)) {
+    const val = sandbox[key];
+    if (typeof val === "object" && val !== null && key !== "payload") {
+      deepFreeze(val);
+    }
+  }
   return vm.createContext(sandbox);
 }
 function evalJsExpression(expr, ctx, opts) {
+  try {
+    validateCode(expr);
+  } catch (err) {
+    console.error(`[template-engine] ${err instanceof Error ? err.message : err}: "${expr.slice(0, 80)}"`);
+    return void 0;
+  }
   const context = buildSandbox(ctx, { ...opts, mode: "text" });
   try {
     const script = new vm.Script(`(${expr})`, { filename: "template-expr.js" });
@@ -446,6 +537,12 @@ var vm2 = __toESM(require("vm"));
 function executeCodeTemplate(code, ctx, opts) {
   const logs = [];
   const timeout = opts.timeout ?? 5e3;
+  try {
+    validateCode(code);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { output: null, statusCode: 500, logs, error: message };
+  }
   let sandboxPayload = ctx.payload;
   if (opts.batchMode) {
     const meta = ctx.payload?._meta;
@@ -565,5 +662,6 @@ function resolveFieldPath(field) {
   resolvePath,
   tryNullCoalesce,
   tryTernary,
+  validateCode,
   valueToString
 });

package/dist/index.mjs CHANGED Viewed

@@ -2,6 +2,10 @@
 function resolvePath(path, ctx) {
   const [prefix, ...rest] = path.split(".");
   const key = rest.join(".");
+  if (path === "$now") return (/* @__PURE__ */ new Date()).toISOString();
+  if (path === "$timestamp") return Date.now();
+  if (path === "$date") return (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+  if (path === "$time") return (/* @__PURE__ */ new Date()).toISOString().slice(11, 19);
   let source;
   switch (prefix) {
     case "payload":
@@ -46,6 +50,72 @@ function valueToString(val) {
 // src/sandbox.ts
 import * as vm from "vm";
+var BLOCKED_PATTERNS = [
+  /\bconstructor\b/,
+  // this.constructor.constructor('return process')()
+  /\b__proto__\b/,
+  // prototype chain traversal
+  /\bprototype\b/,
+  // prototype manipulation
+  /\bprocess\b/,
+  // Node.js process object
+  /\brequire\s*\(/,
+  // CommonJS require
+  /\bimport\s*\(/,
+  // Dynamic import
+  /\bglobal\b/,
+  // global object
+  /\bglobalThis\b/,
+  // globalThis reference
+  /\beval\s*\(/,
+  // eval()
+  /\bFunction\s*\(/,
+  // new Function()
+  /\bProxy\s*\(/,
+  // Proxy constructor
+  /\bReflect\b/,
+  // Reflect API
+  /\bBuffer\b/,
+  // Node.js Buffer
+  /\bSharedArrayBuffer\b/,
+  // SharedArrayBuffer
+  /\bAtomics\b/,
+  // Atomics API
+  /\bWebAssembly\b/,
+  // WebAssembly
+  /\b__defineGetter__\b/,
+  // Legacy property definition
+  /\b__defineSetter__\b/,
+  // Legacy property definition
+  /\b__lookupGetter__\b/,
+  // Legacy property lookup
+  /\b__lookupSetter__\b/
+  // Legacy property lookup
+];
+function validateCode(code) {
+  for (const pattern of BLOCKED_PATTERNS) {
+    if (pattern.test(code)) {
+      throw new Error(`Blocked: unsafe pattern "${pattern.source}" detected`);
+    }
+  }
+}
+function deepFreeze(obj, seen = /* @__PURE__ */ new WeakSet()) {
+  if (obj === null || obj === void 0) return;
+  if (typeof obj !== "object" && typeof obj !== "function") return;
+  if (seen.has(obj)) return;
+  seen.add(obj);
+  try {
+    Object.freeze(obj);
+    for (const key of Object.getOwnPropertyNames(obj)) {
+      try {
+        const val = obj[key];
+        deepFreeze(val, seen);
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
 function buildNodeLookup(workspacePayloads) {
   return (nodeName) => {
     if (!workspacePayloads) throw new Error("$() requires workspace context");
@@ -76,16 +146,23 @@ function buildSandbox(ctx, opts, logs) {
     }
     return String(v);
   };
+  let safePayload;
+  try {
+    safePayload = structuredClone(ctx.payload);
+  } catch {
+    safePayload = JSON.parse(JSON.stringify(ctx.payload ?? null));
+  }
   const sandbox = {
-    payload: ctx.payload,
+    payload: safePayload,
     $: buildNodeLookup(opts.workspacePayloads),
-    headers: ctx.headers,
-    meta: ctx.meta,
-    JSON,
+    headers: { ...ctx.headers ?? {} },
+    meta: { ...ctx.meta ?? {} },
+    // Safe builtins only — no process, require, import, eval, Function, Proxy, Reflect
+    JSON: { parse: JSON.parse, stringify: JSON.stringify },
     Math,
     Date,
-    Array,
-    Object,
+    Array: { isArray: Array.isArray, from: Array.from, of: Array.of },
+    Object: { keys: Object.keys, values: Object.values, entries: Object.entries, assign: Object.assign, freeze: Object.freeze },
     String,
     Number,
     Boolean,
@@ -97,7 +174,8 @@ function buildSandbox(ctx, opts, logs) {
     encodeURIComponent,
     decodeURIComponent,
     Map,
-    Set
+    Set,
+    undefined: void 0
   };
   if (opts.mode === "code" && logs) {
     sandbox.console = {
@@ -106,9 +184,21 @@ function buildSandbox(ctx, opts, logs) {
       error: (...args) => logs.push(`[error] ${args.map(stringify).join(" ")}`)
     };
   }
+  for (const key of Object.keys(sandbox)) {
+    const val = sandbox[key];
+    if (typeof val === "object" && val !== null && key !== "payload") {
+      deepFreeze(val);
+    }
+  }
   return vm.createContext(sandbox);
 }
 function evalJsExpression(expr, ctx, opts) {
+  try {
+    validateCode(expr);
+  } catch (err) {
+    console.error(`[template-engine] ${err instanceof Error ? err.message : err}: "${expr.slice(0, 80)}"`);
+    return void 0;
+  }
   const context = buildSandbox(ctx, { ...opts, mode: "text" });
   try {
     const script = new vm.Script(`(${expr})`, { filename: "template-expr.js" });
@@ -402,6 +492,12 @@ import * as vm2 from "vm";
 function executeCodeTemplate(code, ctx, opts) {
   const logs = [];
   const timeout = opts.timeout ?? 5e3;
+  try {
+    validateCode(code);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { output: null, statusCode: 500, logs, error: message };
+  }
   let sandboxPayload = ctx.payload;
   if (opts.batchMode) {
     const meta = ctx.payload?._meta;
@@ -520,5 +616,6 @@ export {
   resolvePath,
   tryNullCoalesce,
   tryTernary,
+  validateCode,
   valueToString
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@hostwebhook/template-engine",
-  "version": "1.2.0",
+  "version": "1.3.1",
   "description": "Template interpolation and sandboxed JS execution engine for HostWebhook",
   "main": "dist/index.js",
   "module": "dist/index.mjs",